Home Depot Breach Cost Company $43 Million in Third Quarter

The massive Home Depot data breach disclosed earlier this fall involved the theft of 56 million credit and debit card numbers, and now the company has revealed that the incident so far has cost it $43 million.

The costs are the result of both the investigation into the data breach and the recovery from it, including hiring security experts to find the details of the attack, bringing in more call center workers to handle consumer questions and paying for credit monitoring, among other things. In a financial filing on Tuesday, Home Depot said that as much as $15 million of those charges could be recoverable through insurance coverage.

The Home Depot breach is one of the larger such incidents on record, with 53 million email addresses also stolen by the attackers. Company officials said the incident was the result of attackers using compromised vendor credentials to gain access to the Home Depot network and then move internally. Ultimately, the attackers gained access to the point-of-sale system, where all the damage was done.

“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” Home Depot said in a statement earlier this month.

In its quarterly financial filing on Tuesday, Home Depot officials said the company is still investigating the data breach, but that it has rolled out some security enhancements in the weeks after the compromise, with more to come.

“The Company has completed a major payment security project that provides enhanced encryption of payment card data at the point of sale in all of the Company’s U.S. stores, offering significant new protection for customers. The new security protection takes raw payment card information and scrambles it to make it unreadable to unauthorized users. Roll-out of enhanced encryption to Canadian stores will be completed by early 2015. The Company is also rolling out EMV chip-and-PIN technology in its U.S. stores, which adds extra layers of payment card protection for customers. Canadian stores are already enabled with EMV chip-and-PIN technology,” the report says.

Chip-and-PIN systems comprise a card with a chip inside and require a user to enter a PIN at the point of sale in order to complete the transaction. Such systems have been in use in Europe for several years but are just showing up in the United States. On top of the $43 million in costs associated with the breach Home Depot incurred in the third quarter, company officials say they could face further expenses from the incident in the coming months.

“In addition to the above expenses, the Company believes it is probable that the payment card networks will make claims against the Company. The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks assert they or their issuing banks have incurred,” the company’s report says.

“Although an independent third-party assessor found the portion of the Company’s network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the process of obtaining such certification for 2014 was ongoing at the time of the Data Breach and the forensic investigator working on behalf of the payment card networks may claim that the Company was not in compliance with those standards at the time of the Data Breach. As a result, the Company believes it is probable that the payment card networks will make claims against it and that the Company will dispute those claims.”

Officials said it’s also likely that Home Depot will incur significant legal and professional services expenses in future months and that “it is reasonably possible that the ultimate amount paid on these services and claims could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.”

Authors

Threatpost
